On February 24, 2022, on the eve of Russia's invasion of Ukraine, Ka-band satellite provider Viasat became the first prominent victim of Russian cyber aggression when a wiper attack knocked tens of thousands of Viasat's government and commercial broadband customers' modems offline.
At this year's Black Hat and DEF CON conferences, Viasat representatives spelled out how the attack happened, highlighting the incident response lessons they learned.
In the Black Hat talk, Mark Colaluca, vice president and CISO at Viasat Corporation, and Kristina Walker, who was chief of defense industrial base cybersecurity within the National Security Agency's (NSA) Cybersecurity Collaboration Center (CCC), laid out the detailed steps that took place before the modems became inoperable, during the attack, and afterward, relying partly on what subsequent investigations revealed.
How the Viasat attack unfolded
According to Colaluca, on February 23, at around 5 p.m. local time, before the modems were disabled, someone tried to log into a Viasat appliance using several sets of valid credentials, although those attempts failed. An hour later, "there was a successful unauthorized access through that VPN, which landed in the core node, but nothing happened," at least initially, Colaluca said. About two hours after that, the attackers accessed the management server that was in place inside the core node with a different set of credentials.
"From that point, over the next three to four hours, the attackers did a couple of things," Colaluca said. "One, they went to a network operations server that was present there, and its primary function was modem diagnostics, modem health, and how many modems are online. So that server had access to all the modems in the network in these two partitions, and they did recon work."
The attack appeared targeted, with the attackers looking for particular sets of modems in certain areas for specific customers and specific functions, learning how many modems were online. An hour later, at about midnight, the attackers accessed Viasat's FTP server, part of the infrastructure that delivers new software or updates to the modems. They dropped a wiper binary along with scripts to enumerate the network, interrogate it, and report back the status after the scripts completed execution.
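The sequence just described (failed logins across several valid accounts, a VPN success from the same source, a login on an internal server with different credentials, a modem-enumeration query, then an upload to the update server) is the kind of chain a defender can correlate across logs. The following is an added example, not code from the talk or from Viasat; the log format, hostnames, accounts and addresses are constructed for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines mirroring the described timeline. Hostnames,
# users and addresses are invented for this example and are not Viasat's.
SAMPLE_LOGS = """\
2022-02-23T17:02:11 host=vpn-gw event=auth_fail user=ops1 src=203.0.113.7
2022-02-23T17:04:39 host=vpn-gw event=auth_fail user=ops2 src=203.0.113.7
2022-02-23T17:06:58 host=vpn-gw event=auth_fail user=ops3 src=203.0.113.7
2022-02-23T18:01:05 host=vpn-gw event=auth_ok user=ops4 src=203.0.113.7
2022-02-23T20:03:17 host=mgmt-core event=auth_ok user=svc-mgmt src=10.0.5.21
2022-02-23T21:40:00 host=netops-diag event=query action=list_modems src=10.0.5.21
2022-02-24T00:02:30 host=ftp-update event=upload file=update.bin src=10.0.5.21
"""

def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def correlate(text, fail_threshold=3, window=timedelta(hours=2)):
    """Walk the log in time order and return the chain stages seen, in order.

    Stage 1 fires only when a VPN success from a source follows failures for
    at least `fail_threshold` distinct accounts from that source within `window`;
    later stages are reported only once stage 1 has been observed, so isolated
    admin logins, diagnostics queries or update uploads do not alert by themselves.
    """
    recs = sorted((parse(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])
    stages, fails, vpn_users = [], {}, set()
    for r in recs:
        ev, host = r["event"], r["host"]
        if ev == "auth_fail":
            fails.setdefault(r["src"], []).append(r)
        elif ev == "auth_ok" and host == "vpn-gw":
            recent = [f for f in fails.get(r["src"], []) if r["ts"] - f["ts"] <= window]
            if len({f["user"] for f in recent}) >= fail_threshold:
                stages.append("vpn_success_after_multi_account_failures")
                vpn_users.add(r["user"])
        elif ev == "auth_ok" and stages and r["user"] not in vpn_users:
            stages.append("internal_login_with_different_credentials")
        elif ev == "query" and r.get("action") == "list_modems" and stages:
            stages.append("modem_enumeration")
        elif ev == "upload" and host == "ftp-update" and stages:
            stages.append("update_server_upload")
    return stages
```

Each reported stage maps to one step in the timeline above, so the output doubles as a minimal incident chronology for the responder.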